Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 11 Page 1 CS 236 Online Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible –Good.

Published byMiles Craig Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 11 Page 1 CS 236 Online Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible –Good."— Presentation transcript:

1 Lecture 11 Page 1 CS 236 Online Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible –Good behavior on one system is bad behavior on another –Behaviors change and new vulnerabilities are discovered Intrusion detection systems must change to meet needs

2 Lecture 11 Page 2 CS 236 Online How Do Intrusion Detection Systems Evolve? Manually or semi-automatically –New information added that allows them to detect new kinds of attacks Automatically –Deduce new problems or things to watch for without human intervention

3 Lecture 11 Page 3 CS 236 Online A Problem With Manually Evolving Systems System/network administrator action is required for each change –To be really effective, not just manual installation –More customized to the environment Too heavy a burden to change very often So they change slowly, akin to software updates

4 Lecture 11 Page 4 CS 236 Online A Problem With Evolving Intrusion Detection Systems Very clever intruders can use the evolution against them Instead of immediately performing dangerous actions, evolve towards them If the intruder is more clever than the system, the system gradually accepts the new behavior Possible with manual changing systems, but harder for attackers to succeed

5 Lecture 11 Page 5 CS 236 Online Intrusion Detection Tuning Generally, there’s a tradeoff between false positives and false negatives You can tune the system to decrease one –Usually at cost of increasing the other Choice depends on one’s situation

6 Lecture 11 Page 6 CS 236 Online Practicalities of Operation Most commercial intrusion detection systems are add-ons –They run as normal applications They must make use of readily available information –Audit logged information –Sniffed packets –Output of systems calls they make And performance is very important

7 Lecture 11 Page 7 CS 236 Online Practicalities of Audit Logs for IDS Operating systems only log certain stuff They don’t necessarily log what an intrusion detection system really needs They produce large amounts of data –Expensive to process –Expensive to store If attack was successful, logs may be corrupted

8 Lecture 11 Page 8 CS 236 Online What Does an IDS Do When It Detects an Attack? Automated response –Shut down the “attacker” –Or more carefully protect the attacked service Alarms –Notify a system administrator Often via special console –Who investigates and takes action Logging –Just keep record for later investigation

9 Lecture 11 Page 9 CS 236 Online Consequences of the Choices Automated –Too many false positives and your network stops working –Is the automated response effective? Alarm –Too many false positives and your administrator ignores them –Is the administrator able to determine what’s going on fast enough? Logging –Doesn’t necessarily lead to any action

10 Lecture 11 Page 10 CS 236 Online How Good Does an IDS Have To Be? Depends on what you’re using it for Like biometric authentication, need to trade off false positives/false negatives Each positive signal (real or false) should cause something to happen –What’s the consequence?

11 Lecture 11 Page 11 CS 236 Online False Positives and IDS Systems For automated response, what happens? Something gets shut off that shouldn’t be –May be a lot of work to turn it on again For manual response, what happens? Either a human investigates and dismisses it Or nothing happens If human looks at it, can take a lot of his time

12 Lecture 11 Page 12 CS 236 Online Consider a Case for Manual Response Your web site gets 10 million packets per day Your IDS has a FPR of.1% on packets –So you get 10,000 false positives/day Say each one takes one minute to handle That’s 166 man hours per day –You’ll need 20+ full time experts just to weed out false positives

13 Lecture 11 Page 13 CS 236 Online What Are Your Choices? Tune to a lower FPR –Usually causing more false negatives –If too many of those, system is useless Have triage system for signals –If first step is still human, still expensive –Maybe you can automate some of it? Ignore your IDS’ signals –In which case, why bother with it at all?

14 Lecture 11 Page 14 CS 236 Online Intrusion Prevention Systems Essentially a buzzword for IDS that takes automatic action when intrusion is detected Goal is to quickly take remedial actions to threats Since IPSs are automated, false positives could be very, very bad “Poor man’s” version is IDS controlling a firewall

15 Lecture 11 Page 15 CS 236 Online Sample Intrusion Detection Systems Snort Bro RealSecure ISS NetRanger

16 Lecture 11 Page 16 CS 236 Online Snort Network intrusion detection system Public domain –Designed for Linux –But also runs on Windows and Mac Designed for high extensibility –Allows easy plug-ins for detection –And rule-based description of good & bad traffic Very widely used

17 Lecture 11 Page 17 CS 236 Online Bro Like Snort, public domain network based IDS Developed at LBL Includes more sophisticated non- signature methods than Snort More general and extensible than Snort Maybe not as easy to use

18 Lecture 11 Page 18 CS 236 Online RealSecure ISS Commercial IDS Bundled into IBM security products Distributed client/server architecture –Incorporates network and host components Other components report to server on dedicated machine

19 Lecture 11 Page 19 CS 236 Online NetRanger Bundled into Cisco products –Under a different name For use in network environments –“Sensors” in promiscuous mode capture packets off the local network Examines data flows –Raises alarm for suspicious flows Using misuse detection techniques –Based on a signature database

20 Lecture 11 Page 20 CS 236 Online Is Intrusion Detection Useful? 69% of CIS survey respondents (2008) use one –54% use intrusion prevention In 2003, Gartner Group analyst called IDS a failed technology –Predicted its death by 2005 –They’re not dead yet Signature-based IDS especially criticized

21 Lecture 11 Page 21 CS 236 Online Which Type of Intrusion Detection System Should I Use? NIST report 1 recommends using multiple IDSs –Preferably multiple types E.g., host and network Each will detect different things –Using different data and techniques Good defense in depth 1 http://csrc.nist.gov/publications/nistir/nistir-7007.pdf

22 Lecture 11 Page 22 CS 236 Online The Future of Intrusion Detection? General concept has never quite lived up to its promise Yet alternatives are clearly failing –We aren’t keeping the bad guys out So research and development continues And most serious people use them –Even if they are imperfect

23 Lecture 11 Page 23 CS 236 Online Conclusions Intrusion detection systems are helpful enough that those who care about security should use them They are not yet terribly sophisticated –Which implies they aren’t that effective Much research continues to improve them Not clear if they’ll ever achieve what the original inventors hoped for

Download ppt "Lecture 11 Page 1 CS 236 Online Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible –Good."

Similar presentations

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.

1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
seminar on Intrusion detection system

seminar on Intrusion detection system
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.
Department Of Computer Engineering

Department Of Computer Engineering
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Installing Samba Vicki Insixiengmay Jonathan Krieger.

Installing Samba Vicki Insixiengmay Jonathan Krieger.
IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.

IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.
Lesson 7 Intrusion Prevention Systems. UTSA IS 3523 ID & Incident Response Overview Definitions Differences Honeypots Defense in Depth.

Lesson 7 Intrusion Prevention Systems. UTSA IS 3523 ID & Incident Response Overview Definitions Differences Honeypots Defense in Depth.

Similar presentations

Ads by Google